topic Can't ping internal network via VPN site-2-site in VPN

Can't ping internal network via VPN site-2-site

sifurobbie — Thu, 31 May 2012 14:50:28 GMT

I have the following VPN site-2-site configuration.

The trouble I'm having is host 172.168.88.3 in site A is not able to ping 172.168.200.3 in site B and visa versa. Think I have added the static routes and ACLs correctly on the 3560 switches (acting as gateways) and both PIX's to access the internal networks. Host 172.168.9.3 can ping 172.168.200.3 fine. Any advice is appreciated.

Many thanks.

My configs are as follows:

PIX A

PIX Version 8.0(3)

hostname PIX-A

enable password u18hqwudty78klk9s encrypted

names

interface Ethernet0

speed 100

duplex full

nameif outside

security-level 0

ip address x.x.x.250 255.255.255.240

interface Ethernet1

nameif inside

security-level 100

ip address 172.168.9.1 255.255.255.0

passwd uh78mklh78yMs encrypted

banner login This is a private network. Unauthorised access is prohibited!

banner motd This is a private network. Unauthorised access is prohibited!

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BST recurring 1 Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup outside

dns server-group Ext_DNS

name-server 82.72.6.57

name-server 63.73.82.242

object-group network LOCAL_LAN

network-object 172.168.9.0 255.255.255.0

network-object 172.168.88.0 255.255.255.0

object-group service Internet_Services tcp

port-object eq www

port-object eq domain

port-object eq https

port-object eq ftp

port-object eq 8080

port-object eq ssh

port-object eq telnet

object-group network WAN_Network

network-object 172.168.200.0 255.255.255.0

access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log

access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log

access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log

access-list ACLOUT extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0 log

access-list ACLIN extended permit icmp any any echo-reply log

access-list ACLIN extended permit icmp any any unreachable log

access-list ACLIN extended permit icmp any any time-exceeded log

access-list ACLIN extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0 log

access-list split_tunnel_list standard permit 172.168.9.0 255.255.255.0

access-list split_tunnel_list remark LOCAL_LAN log

access-list NONAT extended permit ip object-group LOCAL_LAN 172.168.100.0 255.255.255.0 log

access-list inside_nat0_outbound extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0 log

access-list outside_cryptomap_20 extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0 log

pager lines 24

logging enable

logging buffered informational

logging trap informational

logging host inside 172.168.88.3

mtu outside 1500

mtu inside 1500

ip local pool testvpn 172.168.100.1-192.168.100.99

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/pdm

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACLIN in interface outside

access-group ACLOUT in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.x.45 1

route inside 172.168.88.0 255.255.255.0 172.168.88.254 1

route inside 172.168.199.0 255.255.255.0 172.168.199.254 1

route outside 172.168.200.0 255.255.255.0 172.168.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.168.9.1 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set Set_1 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto dynamic-map outside_dyn_map 1 set transform-set Set_1

crypto dynamic-map outside_dyn_map 1 set reverse-route

crypto map outside_map 1 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer x.x.x.253

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

no crypto isakmp nat-traversal

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

ntp server 130.88.203.12 source outside prefer

group-policy testvpn internal

group-policy testvpn attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

username Viv password ZdlkjGlOTGf7dqdb encrypted

tunnel-group testvpn type remote-access

tunnel-group testvpn general-attributes

address-pool testvpn

default-group-policy testvpn

tunnel-group testvpn ipsec-attributes

pre-shared-key *

tunnel-group x.x.x.253 type ipsec-l2l

tunnel-group x.x.x.253 ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:bb6ead3350227b3745c14b9ba340b84a

: end

PIX B

PIX Version 8.0(3)

hostname PIX-B

enable password ul;jk89A89hNC0Ms encrypted

names

interface Ethernet0

speed 100

duplex full

nameif outside

security-level 0

ip address x.x.x.253 255.255.255.240

interface Ethernet1

nameif inside

security-level 100

ip address 172.168.200.1 255.255.255.0

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

passwd 2ljio897hFB.88fU encrypted

banner motd This is a private network. Unauthorised access is prohibited!

ftp mode passive

dns domain-lookup outside

dns server-group Ext_DNS

name-server x.x.x.57

name-server x.x.x.242

object-group network LOCAL_LAN

network-object 172.168.200.0 255.255.255.0

object-group service Internet_Services tcp

port-object eq www

port-object eq domain

port-object eq https

port-object eq ftp

port-object eq 8080

object-group network WAN_Network

description WAN networks

network-object 172.168.88.0 255.255.255.0

access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain

access-list ACLOUT extended permit icmp object-group LOCAL_LAN any

access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services

access-list ACLIN extended permit icmp any any unreachable

access-list ACLIN extended permit icmp any any time-exceeded

access-list ACLIN extended permit icmp any any echo-reply

access-list ACLIN extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0

access-list ACLIN extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0

access-list ACLIN extended permit ip 172.168.199.0 255.255.255.0 172.168.200.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0

pager lines 24

logging enable

logging monitor debugging

logging buffered debugging

logging trap informational

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACLIN in interface outside

access-group ACLOUT in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.x.253 1

route outside 172.168.88.0 255.255.255.0 172.168.200.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer x.x.x.250

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

tunnel-group x.x.x.250 type ipsec-l2l

tunnel-group x.x.x.250 ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:ccb8392ce529a21c071b85d9afcfdb30

: end

3560 G/W

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname 3560_GW

enable secret 5 $1$cOB4$Uklj8978/jgWv?Tssp

no aaa new-model

system mtu routing 1500

ip subnet-zero

ip routing

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

interface GigabitEthernet0/1

interface GigabitEthernet0/2

description uplink to Cisco_ASA

switchport access vlan 9

interface GigabitEthernet0/3

interface GigabitEthernet0/4

interface GigabitEthernet0/5

interface GigabitEthernet0/6

interface GigabitEthernet0/7

interface GigabitEthernet0/8

interface GigabitEthernet0/9

interface GigabitEthernet0/10

interface GigabitEthernet0/11

interface GigabitEthernet0/12

interface GigabitEthernet0/13

interface GigabitEthernet0/14

interface GigabitEthernet0/15

interface GigabitEthernet0/6

interface GigabitEthernet0/7

interface GigabitEthernet0/8

interface GigabitEthernet0/9

interface GigabitEthernet0/10

interface GigabitEthernet0/11

interface GigabitEthernet0/12

interface GigabitEthernet0/13

interface GigabitEthernet0/14

interface GigabitEthernet0/15

interface GigabitEthernet0/16

interface GigabitEthernet0/17

interface GigabitEthernet0/18

interface GigabitEthernet0/19

interface GigabitEthernet0/20

interface GigabitEthernet0/21

interface GigabitEthernet0/22

interface GigabitEthernet0/23

switchport access vlan 88

switchport mode access

spanning-tree portfast

interface GigabitEthernet0/24

switchport access vlan 9

switchport mode access

spanning-tree portfast

interface GigabitEthernet0/25

description trunk to A_2950_88 port 1

switchport trunk encapsulation dot1q

interface GigabitEthernet0/26

interface GigabitEthernet0/27

description trunk to A_2950_112 port 1

switchport trunk encapsulation dot1q

shutdown

interface GigabitEthernet0/28

interface Vlan1

no ip address

shutdown

interface Vlan9

ip address 172.168.9.2 255.255.255.0

interface Vlan88

ip address 172.168.88.254 255.255.255.0

interface Vlan199

ip address 172.168.199.254 255.255.255.0

ip classless

ip route 0.0.0.0 0.0.0.0 172.168.9.1

ip route 172.168.88.0 255.255.255.0 172.168.9.1

ip route 172.168.100.0 255.255.255.0 172.168.9.1

ip route 172.168.200.0 255.255.255.0 172.168.9.1

ip http server

control-plane

banner motd ^C This is a private network.^C

line con 0

line vty 0 4

line vty 5 15

end

Can't ping internal network via VPN site-2-site

Vishnu Sharma — Thu, 31 May 2012 19:05:21 GMT

Hi Robert,

I went through the configuration on both the PIX firewalls and I see that the traffic is not defined for 172.168.88.0/24-->172.168.200.0/24.

If you check the crypto map configuration on the PIX A, it says:

crypto map outside_map 20 match address outside_cryptomap_20 <--This acl defines interesting traffic

and the acl outside_cryptomap_20 says:

access-list outside_cryptomap_20 extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0 log

Same is the case on the PIX B:

crypto map outside_map 20 match address outside_cryptomap_20

access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0

To allow users to talk to each other, apply these commands:

On the PIX A:

access-list outside_cryptomap_20 extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0

and on PIX B:

access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.88.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.168.200.0 255.255.255.0 172.168.88.0 255.255.255.0

Let me know if this helps.

Thanks,

Vishnu Sharma

Can't ping internal network via VPN site-2-site

sifurobbie — Mon, 11 Jun 2012 14:05:25 GMT

Hi Vishnu,

Thank you for your reply to my post.

I now have the 172.168.88.0 network talking to the 172.168.200.0 network after applying your suggested commands.

I also tried with the following commands on each PIX and the networks can still talk to each other.

access-list outside_cryptomap_20 extended permit ip object-group LOCAL_LAN object-group WAN_Network

access-list inside_nat0_outbound extended permit ip object-group LOCAL_LAN object-group WAN_Network

Very grateful for your help.

Best Regards,

Robert

Can't ping internal network via VPN site-2-site

sifurobbie — Thu, 21 Jun 2012 10:01:22 GMT

Hi Vishnu,

I had nat (inside) 0 access-list NONAT for an access list I use for the remote VPN access on PIX A. But it seems that when I added the line nat (inside) 0 access-list inside_nat0_outbound to enable my internal networks to communicate over the site-2-site connection, it cancels out nat (inside) 0 access-list NONAT. Would you know the reason why please?

Many thanks,

Rob